View Issue Details

ID: 0034018
Project: mantisbt
Category: filters
View Status: public
Last Update: 2024-05-12 12:34
Reporter: nebjanim
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.26.0
Target Version: 2.26.2
Fixed in Version: 2.26.2
Summary: 0034018: Filter "assigned to" and "monitor by" shows <br /> between the users when selecting multiple (advanced filtering)
Description

This issue was already reported in 0024899 and solved according to the entry in 2.18.1.

But it still seems to be a problem. I have also compared with the latest version 2.27.0. There are no differences in the filter_form_api.php and MantisCoreFormatting.php compared to 2.26.0.
The issue behaves exactly the same in Chrome and Firefox.

Interestingly, the "Reporter" field works correctly. In the function print_filter_values_reporter_id there is only "echo $t_output;" as output.

As a test, I changed in the function print_filter_values_handler_id the line "echo string_display( $t_output );" to "echo $t_output;".

This solves the problem only for "Assigned to".

Unfortunately, it is not clear to me why I cannot reproduce this issue in your system. Do you have any ideas? What else can I check?

Many thanks in advance and sorry for the long text. I appreciate your help.

Tags: No tags attached.

Relationships

related to 0024899 (closed, atrol): Filter assigned to shows

Activities

atrol (developer) - 2024-03-11 11:31 - ~0068640

Do you have any 3rd party plugins installed?

nebjanim (reporter) - 2024-03-11 11:52 - ~0068641

This is the list of installed plugins:
BasicAuth Plugin 0.01, Import/Export issues 2.26.0, MantisBT Core 2.26.0, MantisBT Formatting 2.26.0

I use the setting "$g_show_realname = ON;". But setting this to "OFF" shows the same behaviour.

The HTML code looks as shown below:

2024-03-11 16_48_11-Window.png (7,754 bytes)
2024-03-11 16_49_16-Window.png (7,188 bytes)

atrol (developer) - 2024-03-11 14:53 - ~0068643

I was not able to reproduce the issue using the given information.
I also tried various MantisBT Formatting plugin settings, but didn't encounter the issue.

Did you run admin/check/index.php and fix all errors and/or warnings?
Do you see any errors or warnings in your PHP and/or web server logs?
Do you see any errors in your browser console?
Which PHP version do you use?

dregad (developer) - 2024-03-11 19:17 - ~0068644

Are you sure your filter_form_api.php has not been modified locally vs. the original distribution file [1]?

nebjanim (reporter) - 2024-03-12 03:23 - ~0068645

Thank you for your quick response. I will answer your questions as follows:

  1. admin check: Looks good to me - attached anyway
  2. php/web server logs: none concerning MantisBT
  3. browser console: no errors, just a few css warnings
  4. php version: Apache/2.4.39 (Win64), PHP/7.3.5
  5. changes to filter_form_api.php: I've compared the whole directory to a freshly downloaded 2.26.0 and reverted all my changes. No difference.
Admin_check.htm (12,022 bytes)

MantisBT Administration - Check Installation (saved page from admin/check/index.php, MantisBT 2.26.0). Results reported (only non-passed tests are listed in this view):

PHP
  • display_errors php.ini directive is disabled - WARN
    For security reasons this directive should be disabled on all production and Internet facing servers.
  • display_startup_errors php.ini directive is disabled - WARN
    For security reasons this directive should be disabled on all production and Internet facing servers.

Database
  • MySQL Lifecycle and Release Support data availability - WARN
    Release information for MySQL 10.1 series is not available, unable to perform the lifecycle checks.

Configuration
  (no warnings or failures shown)

Paths
  • core_path configuration option is set to a path outside the web root - WARN
    For increased security it is recommended that you move the core_path directory outside the web root.
  • class_path configuration option is set to a path outside the web root - WARN
    For increased security it is recommended that you move the class_path directory outside the web root.
  • library_path configuration option is set to a path outside the web root - WARN
    For increased security it is recommended that you move the library_path directory outside the web root.
  • config_path configuration option is set to a path outside the web root - WARN
    For increased security it is recommended that you move the config_path directory outside the web root.
  • language_path configuration option is set to a path outside the web root - WARN
    For increased security it is recommended that you move the language_path directory outside the web root.
  • Directory doc does not need to exist within the MantisBT root - WARN
    The doc directory within the MantisBT root should be removed as it is not needed for the live operation of MantisBT.

Webservice
  • SOAP Extension Enabled - WARN
    Enable the PHP SOAP extension.

Cryptography
  • login_method is set to MD5 - WARN
    MD5 password encryption is currently the strongest password storage method supported by MantisBT.

Internationalization
  (no warnings or failures shown)

Localization
  (no warnings or failures shown)

Email
  • All users must have an e-mail address - FAIL
    10 users without e-mail address found: <deleted>
  • There are no duplicate email addresses, regardless of case - WARN
    9 duplicate e-mail addresses found: <deleted>

Anonymous access
  (no warnings or failures shown)

Attachments
  (no warnings or failures shown)

Display
  (no warnings or failures shown)

Custom Fields
  (no warnings or failures shown)

Plugins
  (no warnings or failures shown)

Notices at the bottom of the page:
  • Some tests failed. Please review, correct them and run the checks again before using MantisBT.
  • For security reasons, you should delete (or at least restrict access to) the admin directory. Refer to the MantisBT Admin Guide (http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon) for further details.

Footer: Powered by MantisBT 2.26.0, Copyright © 2000 - 2024 MantisBT Team.
dregad (developer) - 2024-03-12 04:06 - ~0068646

Can you add var_dump($t_output, string_display( $t_output )); at the end of the print_filter_values_handler_id() function and provide a screenshot of the output?

dregad (developer) - 2024-03-25 05:00 - ~0068701

nebjanim,

You did not provide any feedback; I am therefore resolving this issue as "unable to reproduce".

Feel free to reopen the issue at a later time and provide the requested information.

nebjanim (reporter) - 2024-03-26 06:04 - ~0068714

Sorry, I've been very busy the last few days.
Here is the screenshot you requested. I have filtered two names and made them unrecognizable in the screenshot and replaced them with placeholders.

2024-03-26 10_56_47-34018.png (5,837 bytes)

dregad (developer) - 2024-03-26 12:48 - ~0068719

I believe I found the root cause.

Did you change the default value for the following configs? If so, please post the values (I suspect you have removed br from the list of allowed tags):

  • $g_html_valid_tags
  • $g_html_valid_tags_single_line

nebjanim (reporter) - 2024-03-27 02:41 - ~0068721

Your assumption is correct.
$g_html_valid_tags = 'b, i, u';
I have not overwritten the other variable.
Is there a connection that should have been clear to me?

dregad (developer) - 2024-03-27 03:44 - ~0068722

Is there a connection that should have been clear to me?

No it was not obvious at all.

I ended up tracing through the code to see exactly what was happening, and it turns out that the final step of text processing in MantisCoreFormatting plugin (processText() method) calls string_restore_valid_html_tags(), which basically undoes the effect of earlier htmlspecialchars() for allowed tags. This explains why @atrol and I could not reproduce the problem, because we both tested with standard settings, and br is allowed in $g_html_valid_tags by default.

So now that the reason for the behavior has been clarified, I can confirm that the workaround you proposed initially

I changed in the function print_filter_values_handler_id the line "echo string_display( $t_output );" to "echo $t_output;".

is correct.

I will prepare a fix.
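
The pipeline dregad describes (escape once when building the value list, then a display routine that escapes everything again and restores only allow-listed tags) can be reproduced outside MantisBT. The following is an added example, not code from MantisBT or from this thread: the functions restore_valid_html_tags(), display_with_valid_tags() and build_filter_values() are hypothetical stand-ins for the MantisBT routines named above, the user names are constructed, and the allow-list containing br is a constructed stand-in for the default configuration (the thread only states that the default allows br). The reporter's allow-list 'b, i, u' is the value posted in the thread. Besides the literal <br /> symptom, the sample name with an ampersand shows that in this model the second escape double-encodes any entity in the data regardless of the allow-list, which is why emitting the already-escaped string directly is the right fix rather than widening the allow-list.

```php
<?php
// Added example (not MantisBT's own code). Hypothetical model of the
// escape / restore-valid-tags pipeline discussed in the thread.

// Stand-in for string_restore_valid_html_tags(): turn the escaped form of
// each allow-listed tag back into real markup. Only bare open, close and
// self-closing forms are restored; attributes are never restored.
function restore_valid_html_tags(string $p_text, string $p_valid_tags): string {
    $t_tags = array_filter(array_map('trim', explode(',', $p_valid_tags)));
    foreach ($t_tags as $t_tag) {
        $t_pattern = '/&lt;(\/?)' . preg_quote($t_tag, '/') . '(\s*\/?)&gt;/i';
        $p_text = preg_replace($t_pattern, '<$1' . $t_tag . '$2>', $p_text);
    }
    return $p_text;
}

// Stand-in for string_display(): escape the whole string, then restore the
// allow-listed tags. Note that htmlspecialchars() encodes an existing
// "&amp;" again (double_encode defaults to true).
function display_with_valid_tags(string $p_text, string $p_valid_tags): string {
    $t_escaped = htmlspecialchars($p_text, ENT_QUOTES, 'UTF-8');
    return restore_valid_html_tags($t_escaped, $p_valid_tags);
}

// Stand-in for the filter form's value list: each name is escaped exactly
// once and the names are joined with a separator that is already safe
// HTML. The result is meant to be echoed as is.
function build_filter_values(array $p_names): string {
    $t_escaped = array();
    foreach ($p_names as $t_name) {
        $t_escaped[] = htmlspecialchars($t_name, ENT_QUOTES, 'UTF-8');
    }
    return implode('<br />', $t_escaped);
}

// Constructed sample input: two user names, one containing an ampersand.
$t_names  = array('alice', 'r&d team');
$t_output = build_filter_values($t_names);

// Allow-lists: the reporter's value from the thread, and a constructed
// list that includes br (stand-in for the default configuration).
$t_reporter_tags = 'b, i, u';
$t_with_br_tags  = 'b, i, u, br';

// 1. Emitting the already-escaped string (the fix): real <br />, "&amp;" once.
echo "echo \$t_output:\n  ", $t_output, "\n\n";

// 2. Escaping again with br allowed: the <br /> is restored so the separator
//    looks right, but the ampersand is now "&amp;amp;" and renders as "&amp;".
echo "display, br allowed:\n  ", display_with_valid_tags($t_output, $t_with_br_tags), "\n\n";

// 3. Escaping again with the reporter's allow-list: the separator is not
//    restored, so the browser shows a literal "<br />" between the names.
echo "display, br not allowed:\n  ", display_with_valid_tags($t_output, $t_reporter_tags), "\n";
```

Run with php on the command line; case 1 prints alice<br />r&amp;d team, case 2 prints alice<br />r&amp;amp;d team, and case 3 prints alice&lt;br /&gt;r&amp;amp;d team. The general rule the fix applies is that a value must be escaped exactly once, at the point where it is inserted into HTML, and a display routine must never be handed data that has already been escaped.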

dregad (developer) - 2024-03-27 09:24 - ~0068723

PR https://github.com/mantisbt/mantisbt/pull/1982

nebjanim (reporter) - 2024-03-28 03:58 - ~0068735

I have implemented the changes. The problem is no longer repeatable.
Many thanks for your help.

Related Changesets

MantisBT: master-2.26 bcf62d6e
2024-03-27 08:10, dregad

Don't call string_display() on already-escaped data

This causes display of `<br />` tags on the Advanced Filter form when
multiple values are selected for Assigned To and Monitored by and `br` is not
allowed in $g_valid_html_tags.

Fixes 0034018

Affected Issues: 0034018
mod - core/filter_form_api.php